NSS 3.12.1 Release Notes
Network Security Services (NSS) 3.12.1 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.1 are described in the “Bugs Fixed” section below. NSS 3.12.1 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
The CVS tag for the NSS 3.12.1 release is NSS_3_12_1_RTM. NSS 3.12.1 requires NSPR 4.7.1. See the Documentation section for the build instructions. NSS 3.12.1 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS download:
Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_1_RTM/src/.
Binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_1_RTM/. Both debug and optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT (optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12.1 directory containing three subdirectories:
include - NSS header files
lib - NSS shared libraries
bin - NSS Tools and test programs
You also need to download the NSPR 4.7.1 binary distributions to get the NSPR 4.7.1 header files and shared libraries, which NSS 3.12.1 requires. NSPR 4.7.1 binary distributions are in https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.1/.
New in NSS 3.12.1
New functions in the nss shared library:
- CERT_NameToAsciiInvertible (see cert.h)
Converts a CERTName into its RFC1485 encoded equivalent. Returns a string that must be freed with PORT_Free(). The caller chooses the encoding rules.
- CERT_EncodeSubjectKeyID (see cert.h)
Encode Certificate SKID (Subject Key ID) extension.
- PK11_GetAllSlotsForCert (see pk11pub.h)
PK11_GetAllSlotsForCert returns all the slots that a given certificate exists on, since it’s possible for a cert to exist on more than one PKCS#11 token.
Levels of standards conformance strictness for CERT_NameToAsciiInvertible (see certt.h)
(maximum human readability)
(strict RFC compliance)
The following bugs have been fixed in NSS 3.12.1.
Bug 67890: create self-signed cert with existing key that signed CSR
Bug 129303: NSS needs to expose interfaces to deal with multiple token sources of certs.
Bug 311432: ECC’s ECL_USE_FP code (for Linux x86) fails pairwise consistency test
Bug 330622: certutil’s usage messages incorrectly document certain options
Bug 330628: coreconf/Linux.mk should _not_ default to x86 but result in an error if host is not recognized
Bug 359302: Remove the sslsample code from NSS source tree
Bug 372241: Need more versatile form of CERT_NameToAscii
Bug 390296: NSS ignores subject CN even when SAN contains no dNSName
Bug 401928: Support generalized PKCS#5 v2 PBEs
Bug 403543: pkix: need a way to enable/disable AIA cert fetching
Bug 408847: pkix_OcspChecker_Check does not support specified responder (and given signercert)
Bug 414003: Crash [@ CERT_DecodeCertPackage] sometimes with this testcase
Bug 415167: Memory leak in certutil
Bug 417399: Arena Allocation results are not checked in pkix_pl_InfoAccess_ParseLocation
Bug 420644: Improve SSL tracing of key derivation
Bug 426886: Use const char* in PK11_ImportCertForKey
Bug 428103: CERT_EncodeSubjectKeyID is not defined in any public header file
Bug 429716: debug builds of libPKIX unconditionally dump socket traffic to stdout
Bug 430368: vfychain -t option is undocumented
Bug 430369: vfychain -o succeeds even if -pp is not specified
Bug 430399: vfychain -pp crashes
Bug 430405: Error log is not produced by CERT_PKIXVerifyCert
Bug 430743: Update ssltap to understand the TLS session ticket extension
Bug 430859: PKIX: Policy mapping fails verification with error invalid arguments
Bug 430875: Document the policy for the order of cipher suites in SSL_ImplementedCiphers.
Bug 430916: add sustaining asserts
Bug 431805: leak in NSSArena_Destroy()
Bug 431929: Memory leaks on error paths in devutil.c
Bug 432303: Replace PKIX_PL_Memcpy with memcpy
Bug 433177: Fix the GCC compiler warnings in lib/util and lib/freebl
Bug 433437: vfychain ignores the -a option
Bug 433594: Crash destroying OCSP Cert ID [@ CERT_DestroyOCSPCertID ]
Bug 434099: NSS relies on unchecked PKCS#11 object attribute values
Bug 434187: Fix the GCC compiler warnings in nss/lib
Bug 434398: libPKIX cannot find issuer cert immediately after checking it with OCSP
Bug 434808: certutil -B deadlock when importing two or more roots
Bug 434860: Coverity 1150 - dead code in ocsp_CreateCertID
Bug 436428: remove unneeded assert from sec_PKCS7EncryptLength
Bug 436430: Make NSS public headers compilable with NO_NSPR_10_SUPPORT defined
Bug 436577: uninitialized variable in sec_pkcs5CreateAlgorithmID
Bug 438685: libpkix doesn’t try all the issuers in a bridge with multiple certs
Bug 438876: signtool is still using static libraries.
Bug 439123: Assertion failure in libpkix at shutdown
Bug 440062: incorrect list element count in PKIX_List_AppendItem function
Bug 442618: Eliminate dead function CERT_CertPackageType
Bug 443755: Extra semicolon in PKM_TLSKeyAndMacDerive makes conditional code unconditional
Bug 443760: Extra semicolon in SeqDatabase makes static analysis tool suspicious
Bug 448323: certutil -K doesn’t report the token and slot names for found keys
Bug 448324: ocsp checker returns incorrect error code on request with invalid signing cert
Bug 449146: Remove dead libsec function declarations
Bug 453227: installation of PEM-encoded certificate without trailing newline fails
For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available since the release of NSS 3.11 include the following:
NSS 3.12.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report with mozilla.org Bugzilla (product NSS).